image.png
一、CA免费证书的获取请参照我上一篇文章
http://www.jianshu.com/p/dd8daccc9cde
二、在Nginx中安装证书
https://yundun.console.aliyun.com/?spm=5176.2020520141.1001.4.31050c2aZ0NG6T&p=cas#/cas/download/214242323470956
以下是我Nginx其中一个Host配置
server {
listen 80;
server_name cn.cctv.cc www.cctv.cc cctv.cc *.cctv.cc;
root /usr/local/soft/web_sites/cctv/cn_cctv/web;
index default.html index.html index.htm;
#告诉浏览器有效期内只准用 https 访问
add_header Strict-Transport-Security max-age=15768000;
#永久重定向到 https 站点
return 301 https://cn.cctv.cc$request_uri;
location / {
root /usr/local/soft/web_sites/cctv/cn_cctv/web;
index default.html index.html index.htm;
}
location ~ \.ejf$ {
#Nginx转向内部Tomcat时使用http通信
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Real-IP $remote_addr;
}
location ~.*\.(js|css|html|png|gif|htm|shtml|jpg)$ {
expires 30d;
}
}
server {
listen 443;
server_name cn.cctv.cc;
ssl on;
root /usr/local/soft/web_sites/cctv/cn_cctv/web;
index default.html index.html index.htm;
##证书路径
ssl_certificate ../cert/214242323470956.pem;
#私钥路径
ssl_certificate_key ../cert/214242323470956.key;
ssl_session_timeout 1m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
root /usr/local/soft/web_sites/cctv/cn_cctv/web;
index default.html index.html index.htm;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
}
location ~ \.ejf$ {
#Nginx转向内部Tomcat时使用http通信
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Real-IP $remote_addr;
}
}
#仅允许指定域名访问,不可用ip访问
server {
listen 80 default_server;
server_name _;
return 403;
}
三、配置Tomcat
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="443" proxyPort="443" />
重点是这儿的proxyPort="443"
